Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About dmarling
dmarling
Builder
Member since:
02-22-2017
Community Statistics
| Posts | 228 |
| Solutions | 42 |
| Karma Given | 44 |
| Karma Received | 116 |
| Member Since | 02-22-2017 |
| dmarling@paychex.com |
Activity Feed
- Got Karma for Re: How to find all Dashboards, Reports and Alerts related to a specific index ?. 06-03-2025 11:43 AM
- Got Karma for Re: how to upload csv data file into splunk by using REST API? Can someone provide the exact URI Used to upload CSV File. I was confusing with the URI's provided by splunk.. 11-19-2024 04:43 AM
- Got Karma for Re: How to find all Dashboards, Reports and Alerts related to a specific index ?. 10-10-2024 01:43 AM
- Got Karma for Re: How to parse Json and extract all fields. 08-06-2024 10:08 PM
- Posted Re: How to combine two searches with common value into one table on Splunk Search. 06-28-2024 11:02 AM
- Got Karma for Re: How to combine two searches with common value into one table. 06-28-2024 10:48 AM
- Got Karma for Re: Setting a webhook alert via a proxy server. 05-26-2024 07:59 PM
- Got Karma for Re: In a Simple XML dashboard, is it possible to set a token when a user clicks the submit button?. 05-07-2024 03:15 AM
- Got Karma for Re: How to encode a URL for a Hipchat notification alert action if there is no urlencode() function?. 04-11-2024 02:06 PM
- Got Karma for Re: What would intermittently cause less events to return the raw data versus the total number of events it says it matched on?. 02-26-2024 01:38 PM
- Got Karma for Re: How to create a dashboard for server status i.e. whether it is up or not?. 02-19-2024 10:41 AM
- Got Karma for Re: How to find all Dashboards, Reports and Alerts related to a specific index ?. 01-30-2024 09:35 AM
- Got Karma for Re: How to combine two searches with common value into one table. 11-09-2023 10:33 AM
- Got Karma for Re: paychex/Splunk.Conf19 Cover Your Assets (CYA): Export error with fields tagged.abcd=efgh. 09-15-2023 02:24 AM
- Got Karma for Re: How to find all Dashboards, Reports and Alerts related to a specific index ?. 08-29-2023 03:04 AM
- Got Karma for Re: How to find all Dashboards, Reports and Alerts related to a specific index ?. 02-16-2023 06:40 AM
- Got Karma for Re: How to encode a URL for a Hipchat notification alert action if there is no urlencode() function?. 01-06-2023 09:45 PM
- Got Karma for Re: How to find all Dashboards, Reports and Alerts related to a specific index ?. 12-12-2022 11:11 PM
- Got Karma for Re: how to use string from lookup table in search. 12-05-2022 12:57 PM
- Got Karma for Re: Converting bytes to GB or MB. 11-21-2022 08:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 5 | |||
| 0 | |||
| 0 |
03-03-2020
01:21 PM
I'm glad I could help you! Please make sure to also accept the answer. Thank you!
... View more
03-03-2020
10:28 AM
1 Karma
Using mvindex will work for you use case, but you will need to wrap the field name in single quotes since there are special characters in the field name that mean concatenation when using where or eval: . Using this eval will get the first method_name in the stack: | eval first_method_name=mvindex('stack_trace{}.method_name', 0) Here's a run anywhere example using your own data to demonstrate it:
| makeresults count=1
| eval data="{\"stack_trace\":[{\"class_name\":\"FOO\",\"file_name\":\"BAR\",\"line_number\":\"-2\",\"method_name\":\"WALK\"},{\"class_name\":\"FOO2\",\"file_name\":\"BAR2\",\"line_number\":\"1356\",\"method_name\":\"JUMP\"},{\"class_name\":\"FOO\",\"file_name\":\"BAR\",\"line_number\":\"808\",\"method_name\":\"SKIP\"}]}"
| spath input=data
| eval first_method_name=mvindex('stack_trace{}.method_name', 0)
... View more
02-19-2020
08:45 AM
2 Karma
You can get the queries @efavreau and myself showed in our presentation from our git repo!
... View more
02-18-2020
12:42 PM
This is unfortunately not supported natively in splunk. There are some work arounds that you can find on answers. Here's some suggested answers to review:
https://answers.splunk.com/answers/346916/submit-button-per-panel-in-simple-xml.html
https://answers.splunk.com/answers/683916/submit-button-inside-a-panel-is-not-working.html
... View more
02-18-2020
12:36 PM
I would suggest you create a lookup file that contains a list of the job names and expected start times. That way you can perform a lookup by jobName and return the expected start time dynamically instead of doing it ad hoc in your query. That will also make it more maintainable in the future as you can simply modify the lookup file to reflect the new time.
If you need to account for the time for those changes, like it was 15:31:17 for jobName RLMMTP89 only from 1/1/2020 to 1/31/2020 you can make your lookup temporal, but you will need to add the timestamp that reflects when the new expected time is supposed to be selected.
Assuming you have do not need to make your lookup temporal, you can create a basic lookup table in Splunk using your sample data:
| makeresults count=1
| fields - _time
| eval data="RLMMTP90 20:30:11,RLMMTP72 13:22:46"
| makemv data delim=","
| mvexpand data
| rex field=data "(?<msgjobName>[^\s]+) (?<ExpectedStart>[^\e]+)"
| fields - data
| rename msgjobName as "msg.jobName"
| outputlookup expectedJobStarts.csv
Now that you have your starter lookup file expectedJobStarts.csv you can put that in your query
sourcetype="cf" source=l_cell msg.jobName = RLMMTP*
| spath "msg.status.Code"
| search "msg.status.Code"=*
| spath "msg.Type"
| search "msg.Type"=*
| spath "msg.message"
| search "msg.message"="RECORD PROCESSED"
| eval day = strftime(_time, "%d")
| stats earliest(timestamp) as startTime, latest(timestamp) as endTime count by msg.jobName
| eval startTime=substr(startTime,1,13)
| eval startTimeD=strftime(startTime/1000, "%H:%M:%S")
| lookup expectedJobStarts.csv "msg.jobName"
| eval ActualStart= startTimeD
| table msg.jobName ActualStart ExpectedStart
I have a couple additional suggestions with your search after looking at it. I suggest you add an index to your search as that will make your search performance significantly better and reduce load on your indexers memory for that search. It also appears that you are querying a json event which should not require the spath commands you are using. Since I don't know the index your data is under I'll use foo as a place holder. Another thing to consider is when you do a stats by the msg.jobName you may be joining together different jobs that run in that same queried time period if you aren't splitting by another field like the "day" field you created or ideally a transaction id that would hopefully be present in your events.
index=foo sourcetype="cf" source=l_cell msg.jobName = RLMMTP* msg.status.Code=* msg.Type=* "msg.message"="RECORD PROCESSED"
| eval day = strftime(_time, "%d")
| stats earliest(timestamp) as startTime, latest(timestamp) as endTime count by day msg.jobName
| eval startTime=substr(startTime,1,13)
| eval startTimeD=strftime(startTime/1000, "%H:%M:%S")
| lookup expectedJobStarts.csv "msg.jobName"
| eval ActualStart= startTimeD
| table msg.jobName ActualStart ExpectedStart
... View more
02-17-2020
05:12 AM
This is a better response. Thanks @manjunathmeti 🙂
... View more
02-13-2020
07:23 AM
I'm assuming the daily updated lookup file does not contain the asterisks around the keywords. You could create a scheduled search that runs after the daily update occurs on that lookup file. That search will update the lookup you will use for the wild card lookup definition. The below query can do that:
|inputlookup keyword.csv
| eval keywords="*".keyword."*"
| outputlookup wildcardkeyword.csv
You would then need to update your lookup definition to point at the wildcardkeyword file. I believe I have solved the request to add the keyword value from the csv to the results in my original answer. The screen shot shows that the value of the keyword field is present on the outputted table.
... View more
02-13-2020
06:50 AM
Hello,
The reason why it is failing is because your token is concatenating the results together and wrapping it in quotes. You need to specify the token value prefix and suffix and delimter in your xml like this:
<input type="multiselect" token="grade_name">
<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
</input>
You also need to remove the quotes around the token in your search so it looks like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ($grade_name$)
If you do that your output will look like this in the search with the default:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("9","6","7")
Previously it looked like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("967")
... View more
02-13-2020
05:49 AM
Hi @Glasses
I believe I have the answer to your question. The easiest way to do this is to use a lookup definition with a wildcard lookup since you already have asterisks surrounding your keywords in the lookup file. I wrote a run anywhere example to demonstrate how to do this. First I generated a keyword.csv lookup file using your sample data:
| makeresults count=1
| fields - _time
| eval data="*red*,34948-kjas
*green*,89050-kjec
*blue*,89008-nkme"
| rex field=data max_match=0 "(?<data>[^\n]+)"
| mvexpand data
| rex field=data "(?<keyword>[^\,]+),(?<keyword_ID>[^\e]+)"
| rename keyword_ID as keyword-ID
| fields - data
| outputlookup keyword.csv
I then created a wildcard lookup definition and titled it wildcardKeywords:
I updated the permissions so others could use it too, but that may not be necessary. Once you have that lookup definition you will need to add that to your query with the below syntax using your example from the question:
[| inputlookup keyword.csv
| fields keyword
| rename keyword as file-name] index=foo sourcetype=bar
| lookup wildcardKeywords keyword as "file-name" output keyword as Matched
| eval Matched=trim(Matched, "*")
| stats count by Matched
I have also created a run anywhere example that uses the example lookup that I created earlier:
| makeresults count=1000
| eval random=round(random() % 5,0)
| eval file_path=case(random=0, "/foo/bar/blue-foo.log", random=1, "/bar/foo/red/blue-bar.log", random=2, "/foo/bar/green/red-foo.log", random=3, "/bar/foo/green.log", random=4, "/foo/bar/red.log", random=5, "/foo/bar/foobar.log")
| lookup wildcardKeywords keyword as file_path output keyword as matched
| eval matched=trim(matched, "*")
| stats count values(file_path) as examples by matched
This will produce the below results. The counts will be different since I used random to generate data:
... View more
01-16-2020
11:37 AM
Per their documentation they use PCRE: Splunk regular expressions are PCRE (Perl Compatible Regular Expressions) and use the PCRE C library.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/AboutSplunkregularexpressions
Traditionally the PCRE (PHP) engine on the regex101.com website is used for regex trouble shooting with splunk and has been extremely accurate in my personal use with it and with other Splunk users on this board.
... View more
01-16-2020
10:22 AM
The best way to know if a regex is good or not is to put some examples of martian packets into a www.regex101.com example with your regex. It will tell you the amount of steps that is takes to accomplish the extraction. I would then save it on that website and share the link on your question so people have some sample data to work with.
... View more
01-16-2020
10:02 AM
This query will accomplish that request:
| tstats count by _time span=1m host
| eventstats sum(count) as Total by _time
... View more
01-16-2020
06:28 AM
The below xml will accomplish this on initial page load, but after that it's all bets are off. I don't really understand why you need to do this but it will work:
<form>
<label>Double Time inputs</label>
<fieldset submitButton="false">
<input type="time" token="timetok1">
<label>time input 1</label>
<default>
<earliest>-7d@w0</earliest>
<latest>@w0</latest>
</default>
</input>
<input type="time" token="timetok2">
<label></label>
<default>
<earliest>$timetok1.earliest$</earliest>
<latest>$timetok1.latest$</latest>
</default>
</input>
</fieldset>
</form>
On page load it will default the second time input with whatever is in the first time input as long as you don't have the second token timetok2 in the url. If you change the first time input after that point or if you have the timetok2 defined in the url as anything other than form.timetok2.earliest=%24timetok1.earliest%24&form.timetok2.latest=%24timetok1.latest%24 , it will ignore whatever is in the first time field.
... View more
01-16-2020
06:19 AM
If you could provide the rest call that is failing and the failure message that would help us answer your question. My first guess is if you are attempting to pass in a greater than or less than symbol in the body of the transmission, you most likely need to make it a utf-8 url encoded greater than: %3E or less than: %3C
... View more
01-15-2020
11:46 AM
You are on the correct path, you should avoid using empty sets in any fields unless some very specific use cases. Your evals should be this EVAL-sensor_01 = if(valueName="raw_sensor_01", value, null()) The null() command makes it a null value instead of an empty set.
... View more
12-06-2019
05:31 AM
Yep, this is an easy fix. Modify your query by adding a filter at the end to only include when they match:
(sourcetype="snow:task_sla" dv_has_breached=false dv_stage=Completed dv_sla="FW-Guasto non bloccante fuori sede no A-SLA21") OR sourcetype="snow:incident"
| eval joiner=if(sourcetype="snow:task_sla", dv_task, dv_number)
| stats values(dv_task) as dv_task values(dv_number) as dv_number values(dv_sla) as dv_sla by joiner
| where dv_task=dv_number
... View more
12-05-2019
08:54 AM
5 Karma
You'll see this answer a lot on here. You should avoid joins except for some very specific use cases. Joins are inefficient and can cause truncation of your data results, since it has a default limitation of only running for 30 seconds and then auto finalizing. I suggest doing this instead:
(sourcetype="Sourcetype_A" s1_field4="Completed") OR sourcetype="Sourcetype_B"
| eval joiner=if(sourcetype="Sourcetype_A", s1_field2, s2_field1)
| stats values(*) as * by joiner
| where s1_field2=s2_field1
Season the above query to taste by only putting the fields you want in the third line. What this is doing is pulling in both data sets and joining them together with a stats command. This is won't run into those timing limitations that a join would and be more performant.
I edited the answer so it only returns results where those two fields match.
... View more
11-21-2019
12:11 PM
The iteration you were using of the "checklist" extract was pulling data from the first line after "Calling Checklist1003" until "-", but in one of the examples there was another line between which broke that logic. I adjusted it to go to the first line AFTER the line of "-" to start the "checklist" field and that fixed it. Sorry about that.
... View more
11-21-2019
11:44 AM
I see what happened. This should fix it:
index=du sourcetype="du:sbaservice-log"
| rex field=_raw mode=sed "s/([\n\r\s]+)\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}.\d{3}/\1/g"
| rex field=_raw max_match=0 "Calling Checklist1003[^\-]+[^\n]+\n[^\n]+(?<checklist>[^\-]+)"
| rex field=checklist "Description: (?<Description>[^\e]+)"
| rex field=_raw "INST_INFO\:\s\d+\|(?.*)\|"
| rex field=_raw "lenderCaseNo\s[(?\d+)]"
| eval BTime = strptime(Begin_time, "%H:%M:%S.%3N")
| eval CTime = strptime(Completion_time, "%H:%M:%S.%3N")
| eval ResTime=CTime-BTime
|table Description lenderInstName lenderCaseNumber Begin_time Completion_time
... View more
11-21-2019
11:21 AM
Are you only wanting stuff after Checklist1003? Running the below run anywhere example returns results I expect:
| makeresults count=1
| eval _raw="11/21/2019 12:52:49.929 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:49.929 Fault type: Application Severity: Info
11/21/2019 12:52:49.929 Description: Verification Successful
11/21/2019 12:52:49.929
11/21/2019 12:52:49.929 ----------------------------------------------------------------
11/21/2019 12:52:49.929 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:49.929 Fault type: Application Severity: Info
11/21/2019 12:52:49.929 Description: No errors were detected
11/21/2019 12:52:49.929
11/21/2019 12:52:49.929 Performing a CaseInit
11/21/2019 12:52:49.929 LOAN_APPLICATION found. Send to store as Original Mismo 1003!
11/21/2019 12:52:50.604 Validating reply from CaseInit
11/21/2019 12:52:50.604 ----------------------------------------------------------------
11/21/2019 12:52:50.604 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.604 Fault type: Application Severity: Info
11/21/2019 12:52:50.604 Description: CaseInit completed successfully
11/21/2019 12:52:50.604
11/21/2019 12:52:50.604 Inst ID set for EH-020 [12121231]
11/21/2019 12:52:50.604 Casefile ID [xxxxxxx]
11/21/2019 12:52:50.604 lenderCaseNo [yyyyyyy]
11/21/2019 12:52:50.604 OperStatus_in_mp_casefile_set is not defined.
11/21/2019 12:52:50.604 Calling Credential service to get traits
11/21/2019 12:52:50.624 ----------------------------------------------------------------
11/21/2019 12:52:50.624 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.624 Fault type: Application Severity: Info
11/21/2019 12:52:50.624 Description: InstTraitRequest completed successfully
11/21/2019 12:52:50.624
11/21/2019 12:52:50.625 Call RESTBridge for conventional loan with GUID [abbababsbasasas],
11/21/2019 12:52:50.625 INST_INFO: 12121231|somecompany
11/21/2019 12:52:50.625
11/21/2019 12:52:50.625 Begin RESTBridgeSubsystem::callRESTBridge() ...
11/21/2019 12:52:50.625 BASE_GUID for VDVS [abbababsbasasas]
11/21/2019 12:52:50.625 Begin RESTBridgeSubsystem::sendRESTBridgeClientRequest...
11/21/2019 12:52:50.625 Call RESTBridgeProxy.sendRESTBridgeRequest:
11/21/2019 12:52:50.625 Svcname= RESTBridge
11/21/2019 12:52:50.625 Major= 1
11/21/2019 12:52:50.625 Minor= 0
11/21/2019 12:52:50.625 Command= RESTBridge
11/21/2019 12:52:50.628 End RESTBridgeSubsystem::sendRESTBridgeClientRequest
11/21/2019 12:52:50.628 End RESTBridgeSubsystem::callRESTBridge()
11/21/2019 12:52:50.628 SBAWF13Service_Impl:Underwrite:BESTFIT_PRODUCT_SPECIFICATIONS file attachment is not found. This is NOT a multi-product case
11/21/2019 12:52:50.629 Determine ProdAlt case:
11/21/2019 12:52:50.629 ProdAlt Flag [OFF]
11/21/2019 12:52:50.629 LoanType [01]
11/21/2019 12:52:50.629 prodAltTrait [0]
11/21/2019 12:52:50.629 This is NOT a Product alternative case!
11/21/2019 12:52:50.629 CONVERSION_TARGET: RES,HTML
11/21/2019 12:52:50.629 User format Request: XML,HTML
11/21/2019 12:52:50.629 Determining the underwriting service to be used
11/21/2019 12:52:50.629 Set to use Default engine UWROUTER,1,0 for underwriting
11/21/2019 12:52:50.629 Underwrite::determineUWService::multiProductCase =0
11/21/2019 12:52:50.629 This is not a multi-product case.
11/21/2019 12:52:50.629 ----------------------------------------------------------------
11/21/2019 12:52:50.629 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.629 Fault type: Application Severity: Info
11/21/2019 12:52:50.629 Description: This is a resubmission of a case that was underwritten using the
11/21/2019 12:52:50.629 UW_10.30 KB engine
11/21/2019 12:52:50.629
11/21/2019 12:52:50.629 UWROUTER service will be used for underwriting
11/21/2019 12:52:50.629 ----------------------------------------------------------------
11/21/2019 12:52:50.629 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.629 Fault type: Application Severity: Info
11/21/2019 12:52:50.629 Description: This case will be underwritten using UWROUTER 1.0
11/21/2019 12:52:50.629
11/21/2019 12:52:50.629 Calling Checklist1003
11/21/2019 12:52:50.670 ----------------------------------------------------------------
11/21/2019 12:52:50.670 Message type: Code: -1 dec, ffffffff hex
11/21/2019 12:52:50.670 Fault type: Unknown Severity: Info
11/21/2019 12:52:50.670 Description: Begin file type 104 checklist.
11/21/2019 12:52:50.670
11/21/2019 12:52:50.676 ----------------------------------------------------------------
11/21/2019 12:52:50.676 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.676 Fault type: Application Severity: Info
11/21/2019 12:52:50.676 Description: Checklist1003 completed successfully
11/21/2019 12:52:50.676
11/21/2019 12:52:50.676 SBAWF13Service_Impl.Underwrite: _creditReptMISMO = '1'
11/21/2019 12:52:50.676 SBAWF13Service_Impl.Underwrite: _MISMOVersion = '2.1'
11/21/2019 12:52:50.684 Loan Type: [01]
11/21/2019 12:52:50.708 ----------------------------------------------------------------
11/21/2019 12:52:50.708 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.708 Fault type: Application Severity: Info
11/21/2019 12:52:50.708 Description: createCrReportRequest completed successfully
11/21/2019 12:52:50.708
11/21/2019 12:52:50.708 No Credit Report requests are needed
11/21/2019 12:52:50.708 Calling ChecklistCred
11/21/2019 12:52:50.719 SINGLEIN=0
11/21/2019 12:52:50.732 ----------------------------------------------------------------
11/21/2019 12:52:50.732 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.732 Fault type: Application Severity: Info
11/21/2019 12:52:50.732 Description: ChecklistCred completed successfully
11/21/2019 12:52:50.732
11/21/2019 12:52:50.732 Autocopy not requested
11/21/2019 12:52:50.732 command : UNDERWRITE
11/21/2019 12:52:50.732 du underwrite : 1
11/21/2019 12:52:50.732 set BASE_GUID for DUKB service: abbababsbasasas
11/21/2019 12:52:50.732 Set processUndewrriteVars.conversionTarget = RES,HTML
11/21/2019 12:52:50.732 Call IDGen for Doc_Type[1], ID_Type[4], ID_Qty[1]
11/21/2019 12:52:50.749 IDGen returns condition [SUCCESS]
11/21/2019 12:52:50.749 Successfully retrieved new FindingID: 2085534376
11/21/2019 12:52:50.749 command : Underwrite
11/21/2019 12:52:50.749 du underwrite : 1
11/21/2019 12:52:50.749 Performing DU underwrite ...
11/21/2019 12:52:50.749 Calling UWROUTER 1.0 to underwrite the case
11/21/2019 12:52:50.750 Command[KB_Underwrite] set for Underwrite!
11/21/2019 12:52:52.901 Validating reply from UWROUTER_1_0
11/21/2019 12:52:52.901 ----------------------------------------------------------------
11/21/2019 12:52:52.901 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:52.901 Fault type: Application Severity: Info
11/21/2019 12:52:52.901 Description: UWROUTER completed successfully
11/21/2019 12:52:52.901
"
| rex field=_raw mode=sed "s/([\n\r\s]+)\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}.\d{3}/\1/g"
| rex field=_raw max_match=0 "Calling Checklist[^\-]+[^\n]+\n[^\n]+(?<checklist>[^\-]+)"
| rex field=checklist "Description: (?<Description>[^\e]+)"
... View more
11-21-2019
10:47 AM
You still had field=data which was just for my example. This will fix that:
index=du sourcetype="du:sbaservice-log" du_service="sbawf1.3"
| rex field=_raw mode=sed "s/([\n\r])\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}.\d{3}/\1/g"
| rex field=_raw max_match=0 "Calling Checklist[^\-]+[^\n]+\n[^\n]+(?<checklist>[^\-]+)"
| rex field=checklist "Description: (?<Description>[^\e]+)"
| rex field=_raw "INST_INFO\:\s\d+\|(?.*)\|"
| rex field=_raw "lenderCaseNo\s[(?\d+)]"
| eval BTime = strptime(Begin_time, "%H:%M:%S.%3N")
| eval CTime = strptime(Completion_time, "%H:%M:%S.%3N")
| eval ResTime=CTime-BTime
... View more
11-21-2019
10:07 AM
It didn't work on your most recent example but this will:
| makeresults count=1
| eval data="11/21/2019 12:52:49.929 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:49.929 Fault type: Application Severity: Info
11/21/2019 12:52:49.929 Description: Verification Successful
11/21/2019 12:52:49.929
11/21/2019 12:52:49.929 ----------------------------------------------------------------
11/21/2019 12:52:49.929 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:49.929 Fault type: Application Severity: Info
11/21/2019 12:52:49.929 Description: No errors were detected
11/21/2019 12:52:49.929
11/21/2019 12:52:49.929 Performing a CaseInit
11/21/2019 12:52:49.929 LOAN_APPLICATION found. Send to store as Original Mismo 1003!
11/21/2019 12:52:50.604 Validating reply from CaseInit
11/21/2019 12:52:50.604 ----------------------------------------------------------------
11/21/2019 12:52:50.604 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.604 Fault type: Application Severity: Info
11/21/2019 12:52:50.604 Description: CaseInit completed successfully
11/21/2019 12:52:50.604
11/21/2019 12:52:50.604 Inst ID set for EH-020 [12121231]
11/21/2019 12:52:50.604 Casefile ID [xxxxxxx]
11/21/2019 12:52:50.604 lenderCaseNo [yyyyyyy]
11/21/2019 12:52:50.604 OperStatus_in_mp_casefile_set is not defined.
11/21/2019 12:52:50.604 Calling Credential service to get traits
11/21/2019 12:52:50.624 ----------------------------------------------------------------
11/21/2019 12:52:50.624 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.624 Fault type: Application Severity: Info
11/21/2019 12:52:50.624 Description: InstTraitRequest completed successfully
11/21/2019 12:52:50.624
11/21/2019 12:52:50.625 Call RESTBridge for conventional loan with GUID [abbababsbasasas],
11/21/2019 12:52:50.625 INST_INFO: 12121231|somecompany
11/21/2019 12:52:50.625
11/21/2019 12:52:50.625 Begin RESTBridgeSubsystem::callRESTBridge() ...
11/21/2019 12:52:50.625 BASE_GUID for VDVS [abbababsbasasas]
11/21/2019 12:52:50.625 Begin RESTBridgeSubsystem::sendRESTBridgeClientRequest...
11/21/2019 12:52:50.625 Call RESTBridgeProxy.sendRESTBridgeRequest:
11/21/2019 12:52:50.625 Svcname= RESTBridge
11/21/2019 12:52:50.625 Major= 1
11/21/2019 12:52:50.625 Minor= 0
11/21/2019 12:52:50.625 Command= RESTBridge
11/21/2019 12:52:50.628 End RESTBridgeSubsystem::sendRESTBridgeClientRequest
11/21/2019 12:52:50.628 End RESTBridgeSubsystem::callRESTBridge()
11/21/2019 12:52:50.628 SBAWF13Service_Impl:Underwrite:BESTFIT_PRODUCT_SPECIFICATIONS file attachment is not found. This is NOT a multi-product case
11/21/2019 12:52:50.629 Determine ProdAlt case:
11/21/2019 12:52:50.629 ProdAlt Flag [OFF]
11/21/2019 12:52:50.629 LoanType [01]
11/21/2019 12:52:50.629 prodAltTrait [0]
11/21/2019 12:52:50.629 This is NOT a Product alternative case!
11/21/2019 12:52:50.629 CONVERSION_TARGET: RES,HTML
11/21/2019 12:52:50.629 User format Request: XML,HTML
11/21/2019 12:52:50.629 Determining the underwriting service to be used
11/21/2019 12:52:50.629 Set to use Default engine UWROUTER,1,0 for underwriting
11/21/2019 12:52:50.629 Underwrite::determineUWService::multiProductCase =0
11/21/2019 12:52:50.629 This is not a multi-product case.
11/21/2019 12:52:50.629 ----------------------------------------------------------------
11/21/2019 12:52:50.629 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.629 Fault type: Application Severity: Info
11/21/2019 12:52:50.629 Description: This is a resubmission of a case that was underwritten using the
11/21/2019 12:52:50.629 UW_10.30 KB engine
11/21/2019 12:52:50.629
11/21/2019 12:52:50.629 UWROUTER service will be used for underwriting
11/21/2019 12:52:50.629 ----------------------------------------------------------------
11/21/2019 12:52:50.629 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.629 Fault type: Application Severity: Info
11/21/2019 12:52:50.629 Description: This case will be underwritten using UWROUTER 1.0
11/21/2019 12:52:50.629
11/21/2019 12:52:50.629 Calling Checklist1003
11/21/2019 12:52:50.670 ----------------------------------------------------------------
11/21/2019 12:52:50.670 Message type: Code: -1 dec, ffffffff hex
11/21/2019 12:52:50.670 Fault type: Unknown Severity: Info
11/21/2019 12:52:50.670 Description: Begin file type 104 checklist.
11/21/2019 12:52:50.670
11/21/2019 12:52:50.676 ----------------------------------------------------------------
11/21/2019 12:52:50.676 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.676 Fault type: Application Severity: Info
11/21/2019 12:52:50.676 Description: Checklist1003 completed successfully
11/21/2019 12:52:50.676
11/21/2019 12:52:50.676 SBAWF13Service_Impl.Underwrite: _creditReptMISMO = '1'
11/21/2019 12:52:50.676 SBAWF13Service_Impl.Underwrite: _MISMOVersion = '2.1'
11/21/2019 12:52:50.684 Loan Type: [01]
11/21/2019 12:52:50.708 ----------------------------------------------------------------
11/21/2019 12:52:50.708 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.708 Fault type: Application Severity: Info
11/21/2019 12:52:50.708 Description: createCrReportRequest completed successfully
11/21/2019 12:52:50.708
11/21/2019 12:52:50.708 No Credit Report requests are needed
11/21/2019 12:52:50.708 Calling ChecklistCred
11/21/2019 12:52:50.719 SINGLEIN=0
11/21/2019 12:52:50.732 ----------------------------------------------------------------
11/21/2019 12:52:50.732 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:50.732 Fault type: Application Severity: Info
11/21/2019 12:52:50.732 Description: ChecklistCred completed successfully
11/21/2019 12:52:50.732
11/21/2019 12:52:50.732 Autocopy not requested
11/21/2019 12:52:50.732 command : UNDERWRITE
11/21/2019 12:52:50.732 du underwrite : 1
11/21/2019 12:52:50.732 set BASE_GUID for DUKB service: abbababsbasasas
11/21/2019 12:52:50.732 Set processUndewrriteVars.conversionTarget = RES,HTML
11/21/2019 12:52:50.732 Call IDGen for Doc_Type[1], ID_Type[4], ID_Qty[1]
11/21/2019 12:52:50.749 IDGen returns condition [SUCCESS]
11/21/2019 12:52:50.749 Successfully retrieved new FindingID: 2085534376
11/21/2019 12:52:50.749 command : Underwrite
11/21/2019 12:52:50.749 du underwrite : 1
11/21/2019 12:52:50.749 Performing DU underwrite ...
11/21/2019 12:52:50.749 Calling UWROUTER 1.0 to underwrite the case
11/21/2019 12:52:50.750 Command[KB_Underwrite] set for Underwrite!
11/21/2019 12:52:52.901 Validating reply from UWROUTER_1_0
11/21/2019 12:52:52.901 ----------------------------------------------------------------
11/21/2019 12:52:52.901 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 12:52:52.901 Fault type: Application Severity: Info
11/21/2019 12:52:52.901 Description: UWROUTER completed successfully
11/21/2019 12:52:52.901
"
| rex field=data mode=sed "s/([\n\r])\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}.\d{3}/\1/g"
| rex field=data max_match=0 "Calling Checklist[^\-]+[^\n]+\n[^\n]+(?<checklist>[^\-]+)"
| rex field=checklist "Description: (?<Description>[^\e]+)"
... View more
11-21-2019
10:00 AM
Actually try this instead:
| makeresults count=1
| eval data="Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This is a resubmission of a case that was underwritten using the
11/21/2019 09:21:53.297 UW_10.30 KB engine
11/21/2019 09:21:53.297
11/21/2019 09:21:53.297 UWROUTER service will be used for underwriting
11/21/2019 09:21:53.297 ----------------------------------------------------------------
11/21/2019 09:21:53.297 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This case will be underwritten using UWROUTER 1.0
11/21/2019 09:21:53.297
11/21/2019 09:21:53.297 Calling Checklist1003
11/21/2019 09:21:53.345 ----------------------------------------------------------------
11/21/2019 09:21:53.345 Message type: Code: 118310 dec, 1ce26 hex
11/21/2019 09:21:53.345 Fault type: Undefined Severity: Undefined
11/21/2019 09:21:53.345 Description: Hired From Date is missing for secondary employment for
11/21/2019 09:21:53.345 applicant .
11/21/2019 09:21:53.345
11/21/2019 09:21:53.358 -----------------------------------------"
| rex field=data mode=sed "s/([\n\r])\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}.\d{3}/\1/g"
| rex field=data max_match=0 "Calling Checklist[^\n]+\n[^\n]+(?<checklist>[^\-]+)"
| rex field=checklist "Description: (?<Description>[^\e]+)"
I create a "checklist" field that grabs everything under calling checklist1003 between the "-" lines and then extracts the description from that. That is a cleaner way to do it I believe.
... View more
11-21-2019
09:51 AM
If you could paste a whole log event as an example (with anything sensitive fuzzed out) and confirm if you want all of the descriptions or only the ones after some specific pattern. If it's always after calling checklist1003 I can write a rex for that, if it's something else I would need to know that.
... View more
Contact Me
Karma given to
